CCNA 200-301, Chapter 159 of 260, Objective 3.1

Lab: Router-on-a-Stick Inter-VLAN Routing

Think of a building with multiple departments on different floors, each needing its own network but also needing to talk to each other. Router-on-a-Stick is the classic, cost-effective way to enable inter-VLAN routing using a single router and a single trunk link. For the CCNA 200-301 exam (objective 3.1), you must master this configuration and troubleshooting—it appears in both simulation and multiple-choice questions, testing your understanding of VLANs, trunking, and subinterfaces.

25 min read
Intermediate
Updated May 31, 2026

The Apartment Building Mailroom

Imagine an apartment building with 10 floors. Each floor has its own mailroom (a VLAN) where residents of that floor send and receive mail. But residents on floor 2 sometimes need to send packages to residents on floor 5. The building has a central mail processing center (the router) on the ground floor, and there is only one elevator shaft (the trunk link) connecting all floors to the ground floor. To make this work, the mail center assigns a dedicated mailbox slot (subinterface) to each floor. When a package from floor 2 needs to go to floor 5, it is placed in the elevator with a label (802.1Q tag) saying it came from floor 2. The elevator descends to the ground floor, the mail center reads the label, re-labels the package for floor 5 and sends it back up the same elevator shaft. The elevator is a single physical path, but the labels keep each floor's mail separate. Without labels, packages from different floors would be indistinguishable; similarly, without 802.1Q tagging on the trunk, the router could not tell which VLAN a frame came from. The mail center must also have a slot for every floor; if a floor has no slot, its mail is never processed. This is exactly how a router-on-a-stick works: one physical interface, multiple subinterfaces, each tied to a specific VLAN via 802.1Q encapsulation.

How It Actually Works

Router-on-a-Stick (ROAS) is a method of inter-VLAN routing where a single physical router interface connects to a switch via a trunk link. The router uses subinterfaces to route between VLANs. This is the most common way to implement inter-VLAN routing in small-to-medium networks without a multilayer switch. On the CCNA exam, you will be expected to configure ROAS, verify it, and troubleshoot common issues like mismatched native VLANs or missing encapsulation commands.

Why Do We Need It?

By default, VLANs are separate broadcast domains. Hosts in VLAN 10 cannot communicate with hosts in VLAN 20 without a Layer 3 device. A router can forward traffic between VLANs, but it needs to have an interface in each VLAN. Instead of using multiple physical interfaces (expensive and inefficient), ROAS uses one physical interface with multiple logical subinterfaces, each assigned to a different VLAN. The switch port connected to the router must be configured as a trunk to carry multiple VLANs.

How It Works Step by Step

1. Host A in VLAN 10 sends a packet to Host B in VLAN 20. Host A compares Host B's address with its own subnet mask, sees that Host B is on a different subnet, and sends the frame to its default gateway, the router subinterface for VLAN 10. The destination MAC is the router's MAC (by default every subinterface shares the physical interface's MAC address); the source MAC is Host A's. The frame leaves Host A untagged because it is on an access port.

2. The switch receives the frame on an access port in VLAN 10. It forwards the frame out the trunk port toward the router, adding an 802.1Q tag with VLAN ID 10 (unless VLAN 10 is the trunk's native VLAN, in which case the frame is sent untagged).

3. Router receives the tagged frame on its physical interface. - The router sees the 802.1Q tag. It strips the tag and processes the frame on the subinterface associated with VLAN 10. The router looks up the destination IP in its routing table. It finds a route to VLAN 20 via its subinterface for VLAN 20.

4. The router rewrites the frame. It sets the source MAC to its own MAC, the destination MAC to Host B's MAC (learned via ARP on the VLAN 20 subinterface), decrements the IP TTL, and sends the frame out the same physical interface with an 802.1Q tag for VLAN 20 (untagged if VLAN 20 were the native VLAN).

5. Switch receives the tagged frame on the trunk port. - The switch strips the tag, sees VLAN 20, and forwards the frame out the access port in VLAN 20 to Host B.
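The five steps above, as an added Python model that is not part of this page's lab: it builds the 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), has a switch tag or untag frames on the trunk, and has a router map the tag to a subinterface, look up the destination in its connected routes, rewrite the MACs and re-tag for the egress VLAN. The hosts, MACs, IP addresses, port names and native-VLAN settings are constructed for the demonstration, and the router models only what the text describes (tagged frame to the matching subinterface, untagged frame to the `native` subinterface, otherwise drop). The same model reproduces two failure modes discussed later on the page: a native VLAN mismatch and a VLAN not allowed on the trunk.

```python
"""Added example (not from the original page): a small model of the
router-on-a-stick frame flow. Builds/parses 802.1Q tags (TPID 0x8100, 12-bit
VID), lets a Layer 2 switch tag or untag frames on its trunk (native VLAN
crosses untagged) and lets a router map tags to subinterfaces, route by
connected network and re-tag. All MACs, IPs, ports and tables are constructed."""
from __future__ import annotations
import struct
from ipaddress import IPv4Address, IPv4Interface

TPID_8021Q, ETH_IPV4 = 0x8100, 0x0800

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace(".", ""))

def ipv4_header(src: str, dst: str) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since only the addresses matter here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def build_frame(dst: bytes, src: bytes, payload: bytes, vlan: int | None = None) -> bytes:
    """Ethernet II frame; with vlan set, inserts an 802.1Q tag (PCP 0, DEI 0, VID = vlan)."""
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ETH_IPV4) + payload

def parse_frame(frame: bytes) -> tuple[bytes, bytes, int | None, bytes]:
    """Return (dst_mac, src_mac, VID or None, payload); the tag, if present, is stripped."""
    vlan, off = None, 12
    if struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q:
        vlan, off = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF, 16
    return frame[:6], frame[6:12], vlan, frame[off + 2:]

class Switch:
    """Layer 2 switch: access ports (port -> VLAN) and one 802.1Q trunk toward the router."""
    def __init__(self, access: dict[str, int], native_vlan: int = 1,
                 allowed: set[int] | None = None):
        self.access, self.native, self.allowed = access, native_vlan, allowed

    def access_to_trunk(self, port: str, frame: bytes) -> bytes | None:
        vlan = self.access[port]
        if self.allowed is not None and vlan not in self.allowed:
            return None                                    # VLAN not allowed on the trunk
        dst, src, _, payload = parse_frame(frame)
        return build_frame(dst, src, payload, None if vlan == self.native else vlan)

    def trunk_to_access(self, frame: bytes) -> tuple[int, bytes]:
        dst, src, vlan, payload = parse_frame(frame)       # untagged means native VLAN
        return (self.native if vlan is None else vlan), build_frame(dst, src, payload)

class Router:
    """Router-on-a-stick; all subinterfaces share the physical MAC, as IOS does by default."""
    def __init__(self, mac_addr: bytes, subifs: dict[int, str],
                 native_vlan: int | None, arp: dict[str, bytes]):
        self.mac, self.native, self.arp = mac_addr, native_vlan, arp
        self.subifs = {v: IPv4Interface(a) for v, a in subifs.items()}  # VID -> gateway IP/prefix

    def forward(self, frame: bytes) -> tuple[str, bytes | None]:
        dst, _, vlan, payload = parse_frame(frame)
        if vlan is None:                      # untagged: only a `native` subinterface takes it
            if self.native is None:
                return "drop: untagged frame but no native subinterface", None
            vlan = self.native
        if vlan not in self.subifs or dst != self.mac:
            return f"drop: no subinterface for VLAN {vlan}", None
        dst_ip = IPv4Address(payload[16:20])
        for out_vlan, iface in self.subifs.items():        # connected routes only
            if dst_ip in iface.network:
                egress = build_frame(self.arp[str(dst_ip)], self.mac, payload,
                                     None if out_vlan == self.native else out_vlan)
                return f"routed VLAN {vlan} -> VLAN {out_vlan}", egress
        return f"drop: no route to {dst_ip}", None

HOSTS = {  # constructed: access port -> (VLAN, MAC, IP)
    "Gi0/2": (10, mac("0000.1111.0001"), "192.168.10.10"),
    "Gi0/3": (20, mac("0000.2222.0002"), "192.168.20.10"),
    "Gi0/4": (99, mac("0000.3333.0003"), "192.168.99.10"),
}

def demo(src_port: str, dst_ip: str, switch_native: int, router_native: int | None,
         allowed: set[int] | None = None) -> tuple[str, int | None]:
    """Send one packet from src_port to dst_ip; return the router's verdict and the delivery VLAN."""
    rtr = mac("001e.4a7b.5c00")
    sw = Switch({p: h[0] for p, h in HOSTS.items()}, switch_native, allowed)
    r = Router(rtr, {10: "192.168.10.1/24", 20: "192.168.20.1/24", 99: "192.168.99.1/24"},
               router_native, {h[2]: h[1] for h in HOSTS.values()})
    _, src_mac, src_ip = HOSTS[src_port]
    host_frame = build_frame(rtr, src_mac, ipv4_header(src_ip, dst_ip))
    trunk_frame = sw.access_to_trunk(src_port, host_frame)
    if trunk_frame is None:
        return "drop: VLAN not allowed on trunk", None
    verdict, egress = r.forward(trunk_frame)
    if egress is None:
        return verdict, None
    return verdict, sw.trunk_to_access(egress)[0]

if __name__ == "__main__":
    print(demo("Gi0/2", "192.168.20.10", 99, 99))    # routed VLAN 10 -> VLAN 20, delivered on 20
    print(demo("Gi0/4", "192.168.20.10", 99, None))  # native mismatch: untagged frame dropped
```

`demo()` returns the router's verdict and the VLAN the switch finally delivers on. Running it with the switch's native VLAN set to 99 and no `native` subinterface on the router reproduces the mismatch failure: the frame from the VLAN 99 host crosses the trunk untagged and the router has no subinterface willing to accept it.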

Key Configuration Details

Subinterface numbering: Typically matches the VLAN ID (e.g., GigabitEthernet0/0.10 for VLAN 10). This is a best practice but not required.

Encapsulation: Each subinterface must have the encapsulation dot1Q <vlan-id> command. If you omit this, the subinterface will not process tagged frames.

Native VLAN: By default the native VLAN is VLAN 1. Frames on the native VLAN cross the trunk untagged. The router subinterface for the native VLAN must therefore use encapsulation dot1Q <vlan-id> native so that it accepts untagged frames (the alternative is to give the physical interface that VLAN's IP address, since the physical interface also receives untagged frames). A common exam trap: if the native VLAN on the switch trunk is changed, the router's native subinterface must be changed to the same VLAN ID; otherwise untagged frames are dropped or land in the wrong VLAN.

IP address: Each subinterface gets an IP address in the respective VLAN's subnet. This IP serves as the default gateway for hosts in that VLAN.

Physical interface state: The physical interface must be up/up. If it's down, all subinterfaces are down.

Verification Commands

Use the following IOS commands to verify ROAS:

show ip interface brief

Example output:

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES NVRAM  up                    up
GigabitEthernet0/0.10      192.168.10.1    YES manual up                    up
GigabitEthernet0/0.20      192.168.20.1    YES manual up                    up
show interfaces gigabitEthernet 0/0.10

Example output snippet:

GigabitEthernet0/0.10 is up, line protocol is up
  Hardware is GigaFast Ethernet, address is 001e.4a7b.5c01 (bia 001e.4a7b.5c01)
  Internet address is 192.168.10.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
  Encapsulation 802.1Q Virtual LAN, Vlan ID 10.
show vlans

This command shows VLANs configured on the router, including subinterfaces and encapsulation.

Interaction with Related Protocols

STP (Spanning Tree Protocol): A router does not run STP and does not bridge frames between its interfaces, so the switch port facing the router never receives BPDUs, becomes a designated port and stays forwarding; the trunk is never blocked. For the same reason, redundant trunks to two separate routers do not create a Layer 2 loop. Since no BPDU should ever arrive from a router, enabling BPDU Guard on that switch port is a reasonable hardening step.

CDP/LLDP: These protocols run on the physical interface, not subinterfaces. They help discover neighbors.

Dynamic Trunking Protocol (DTP): Routers do not run DTP, so a switch port set to switchport mode dynamic desirable or dynamic auto will never negotiate a trunk with a router; it stays an access port and only the native VLAN reaches the router. Always set the switch port to switchport mode trunk, and add switchport nonegotiate so the switch stops sending DTP frames toward the router.

Common Pitfalls

Missing encapsulation: The most common mistake. Without encapsulation dot1Q, the subinterface will not accept tagged frames.

Native VLAN mismatch: If the switch trunk has a different native VLAN than the router expects, control traffic (CDP, STP) may fail, and data frames on the native VLAN may be dropped or misdelivered.

IP address mismatch: The router subinterface IP must be in the same subnet as the hosts in that VLAN. A common error is using a /24 mask when the host subnet is /25.

Trunk not established: If the switch port is not trunking, frames from multiple VLANs will not reach the router. Verify with show interfaces trunk on the switch.

Walk-Through

1

Configure switch trunk port

On the switch, configure the port connecting to the router as a trunk so that frames from multiple VLANs can traverse the single link:

```
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
```

- `switchport trunk encapsulation dot1q` selects 802.1Q as the trunking protocol. It is only needed, and only accepted, on switches that also support ISL.
- `switchport mode trunk` forces the port into trunking regardless of what the neighbour does. It does not stop the switch from sending DTP frames; because a router never answers DTP, add `switchport nonegotiate` to silence them.
- `switchport trunk native vlan 99` moves the native VLAN off VLAN 1 to an otherwise unused VLAN, which is the recommended practice because native-VLAN frames cross the trunk untagged. The router subinterface for VLAN 99 must then carry the `native` keyword. If you leave the native VLAN at 1, the router subinterface for VLAN 1 must instead use `encapsulation dot1Q 1 native`.
- Restricting the trunk with `switchport trunk allowed vlan` to only the VLANs the router serves is also good practice; it keeps unrelated broadcast traffic off the router link.

2

Configure router subinterfaces

On the router, enter global configuration mode and configure the physical interface and one subinterface per VLAN. Example for VLANs 10, 20, and 99 (native):

```
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99 native
 ip address 192.168.99.1 255.255.255.0
```

- The physical interface must be `no shutdown`; it carries no IP address of its own in this design.
- Each subinterface must have `encapsulation dot1Q <vlan-id>`, entered before the IP address: IOS rejects an `ip address` on a LAN subinterface that has no VLAN encapsulation yet.
- For the native VLAN, add the `native` keyword.
- Each IP address serves as the default gateway for hosts in that VLAN.

3

Configure host default gateways

On each host (PC), configure the default gateway to be the IP address of the router subinterface for that VLAN. For example, a host in VLAN 10 should have default gateway 192.168.10.1. This is typically done via DHCP or static configuration. In the exam, you may be given a scenario where hosts cannot ping each other because the default gateway is missing or incorrect. Always verify the host's address and gateway with `ipconfig` (Windows) or `ip addr` and `ip route` (Linux).

4

Verify trunk and subinterfaces

Use verification commands to ensure the trunk is operational and the subinterfaces are up. On the switch:

```
show interfaces trunk
```

Example output:

```
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       10,20,99
```

On the router:

```
show ip interface brief
show vlans
```

Ensure each subinterface shows up/up. If a subinterface is down, check the physical interface and the encapsulation command. Also confirm that every VLAN the router serves is listed as allowed and active on the switch trunk.

5

Test inter-VLAN connectivity

From a host in one VLAN, ping a host in another VLAN; for example, from PC1 (192.168.10.10) ping PC2 (192.168.20.10). If the ping succeeds, ROAS is working. If not, troubleshoot in this order:

1. Check that the router has a route to both subnets. Each subinterface should appear as a directly connected route in `show ip route`.
2. Verify that the switch trunk allows and carries the VLANs with `show interfaces trunk`.
3. Check that the hosts have the correct default gateway.
4. Ensure that each router subinterface's `encapsulation dot1Q` VLAN ID matches the VLAN on the switch.
5. Check for ACLs on the subinterfaces that might be blocking traffic.

A common exam scenario: hosts in the same VLAN can communicate, but inter-VLAN ping fails. This points to the router or the trunk, not to the hosts.

6

Troubleshoot native VLAN mismatch

A native VLAN mismatch is a frequent issue. If the switch trunk port has native VLAN 99, but the router subinterface for VLAN 99 is not configured as native, the router will drop untagged frames. Conversely, if the router expects native VLAN 1 but the switch sends untagged frames for VLAN 99, the router will associate them with VLAN 1. Symptoms: CDP/LLDP neighbors not appearing, STP issues, and inter-VLAN routing failure for the native VLAN. To fix, ensure both sides agree on the native VLAN. On the switch, use `show interfaces trunk` to see the native VLAN. On the router, use `show vlans` to see which subinterface is native. If they mismatch, reconfigure one side to match.
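As an added example that is not part of this page's lab, the following Python checker reads the switch's `show interfaces trunk` output and the router's running configuration and reports the problems steps 4 to 6 and the Common Pitfalls list describe: trunk not trunking, native VLAN mismatch, a subinterface missing `encapsulation dot1Q`, a subinterface with no IP address, and a subinterface whose VLAN is not allowed or not active on the trunk. Both sample texts are constructed to mirror the formats shown on this page (with GigabitEthernet0/0.20 deliberately missing its encapsulation); the running-config layout the parser expects is an assumption, so compare it with your own `show running-config | section interface` output before relying on it.

```python
"""Added example (not from the original page): a consistency check between a
switch's `show interfaces trunk` output and a router's running configuration,
reporting the router-on-a-stick pitfalls from the walk-through. Both text
samples are constructed; GigabitEthernet0/0.20 is deliberately broken."""
from __future__ import annotations
import re

SWITCH_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       10,20,99
"""

ROUTER_CONFIG = """\
interface GigabitEthernet0/0
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 ip address 192.168.20.1 255.255.255.0
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99 native
 ip address 192.168.99.1 255.255.255.0
"""

def expand_vlans(spec: str) -> set[int]:
    """'1-1005', '10,20,99' or 'none' -> set of VLAN IDs."""
    out: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part and part.lower() != "none":
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_show_trunk(text: str) -> dict[str, dict]:
    """`show interfaces trunk` -> {port: {status, native, allowed, active}}."""
    ports: dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):                      # section header line
            section = ("status" if "Native vlan" in line else
                       "allowed" if "allowed on trunk" in line else
                       "active" if "allowed and active" in line else None)
            continue
        cols = line.split()
        if not cols or section is None:
            continue
        entry = ports.setdefault(cols[0], {})
        if section == "status":
            entry["status"], entry["native"] = cols[3], int(cols[4])
        else:
            entry[section] = expand_vlans(cols[1])
    return ports

def parse_subinterfaces(config: str) -> dict[str, dict]:
    """Running config -> {subif: {vlan, native, ip}} (assumes IOS running-config layout)."""
    subifs: dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+\.\d+)", line):       # subinterface block starts
            current = m.group(1)
            subifs[current] = {"vlan": None, "native": False, "ip": None}
        elif line.startswith("interface "):                    # physical interface block
            current = None
        elif current and (m := re.match(r"\s*encapsulation dot1[Qq] (\d+)( native)?", line)):
            subifs[current]["vlan"], subifs[current]["native"] = int(m.group(1)), bool(m.group(2))
        elif current and (m := re.match(r"\s*ip address (\S+) \S+", line)):
            subifs[current]["ip"] = m.group(1)
    return subifs

def audit(trunk_text: str, config: str, trunk_port: str) -> list[str]:
    """Return findings; an empty list means the switch trunk and router subinterfaces agree."""
    trunk = parse_show_trunk(trunk_text).get(trunk_port)
    if trunk is None or trunk.get("status") != "trunking":
        return [f"{trunk_port}: not trunking; set `switchport mode trunk` on the switch"]
    subifs, findings = parse_subinterfaces(config), []
    router_native = sorted(s["vlan"] for s in subifs.values() if s["native"])
    if trunk["native"] not in router_native:
        findings.append(f"native VLAN mismatch: switch trunk native {trunk['native']}, "
                        f"router `native` subinterface VLAN(s) {router_native or 'none'}")
    for name, s in sorted(subifs.items()):
        if s["vlan"] is None:
            findings.append(f"{name}: missing `encapsulation dot1Q <vlan-id>`")
        elif s["ip"] is None:
            findings.append(f"{name}: no IP address, so VLAN {s['vlan']} has no gateway")
        elif s["vlan"] not in trunk.get("allowed", set()):
            findings.append(f"{name}: VLAN {s['vlan']} is not allowed on {trunk_port}")
        elif s["vlan"] not in trunk.get("active", set()):
            findings.append(f"{name}: VLAN {s['vlan']} allowed but not active on {trunk_port}")
    return findings

if __name__ == "__main__":
    for finding in audit(SWITCH_TRUNK, ROUTER_CONFIG, "Gi0/1"):
        print(finding)
```

With the samples as given, the only finding is the missing encapsulation on GigabitEthernet0/0.20. Removing the `native` keyword from the VLAN 99 subinterface produces the native VLAN mismatch finding, and changing the trunk status line to anything other than `trunking` stops the audit at the trunk check, which mirrors the troubleshooting order above: trunk first, then native VLAN, then each subinterface.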

What This Looks Like on the Job

In a typical enterprise, you might have a branch office with 50 users spread across three VLANs: VLAN 10 for Management, VLAN 20 for Sales, and VLAN 30 for Engineering. Instead of buying a Layer 3 switch, the network engineer uses a single router (e.g., a Cisco ISR 1100) and a single trunk link to the existing Layer 2 switch. This is cost-effective and easy to manage, and the router also provides WAN connectivity and firewall features. The engineer configures a subinterface for each VLAN, sets the trunk's native VLAN to an unused ID (e.g., 999) so that no user VLAN's frames ever cross the trunk untagged (an untagged user VLAN on a trunk is what makes 802.1Q double-tagging VLAN hopping possible), and sets the switch port to trunk mode. Performance is typically adequate for up to about 200 Mbps of inter-VLAN traffic on a small branch router; beyond that, the single link, which every routed packet crosses twice, or the router's CPU becomes the bottleneck. If the router supports it, an EtherChannel to the switch adds bandwidth at the cost of extra configuration.

Another common scenario is in a data center where a virtualization host has multiple VLANs. The host connects to a top-of-rack switch via a trunk, and a router-on-a-stick provides routing between VLANs for management traffic. This is often temporary until a Layer 3 switch is deployed.

Misconfiguration can lead to interesting failures. I once saw a network where the native VLAN on the switch was changed to 999, but the router subinterface for VLAN 1 remained as native. This caused all untagged frames (including CDP) to be dropped, so the router couldn't see the switch via CDP. The fix was to add the native keyword to the subinterface for VLAN 999. Another time, a junior engineer forgot the encapsulation dot1Q command on one subinterface, causing that VLAN to lose connectivity. The symptom was that hosts in that VLAN could not ping the default gateway, but hosts in other VLANs were fine. A quick show vlans revealed the missing encapsulation.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests Router-on-a-Stick under objective 3.1: 'Configure and verify VLANs and inter-VLAN routing (router on a stick)'. Expect a simulation where you must configure ROAS on a router and a trunk on a switch, then verify connectivity. Also expect multiple-choice questions that test your understanding of concepts, especially the encapsulation command and native VLAN handling.

Most common wrong answers:

1. 'The router interface must be configured as a trunk.' Routers do not have a `switchport mode trunk` command; that is a switch command. Candidates confuse router and switch configuration.
2. 'Subinterfaces must use the same MAC address as the physical interface.' By default all subinterfaces do share the physical interface's MAC address, but you can change an individual subinterface's MAC with the `mac-address` command. The exam expects you to know that they share it by default.
3. 'The native VLAN must be configured on the router with the native keyword, or it will not work.' The switch sends native-VLAN frames untagged, and a subinterface without the `native` keyword accepts only tagged frames for its VLAN, so the router does need a `native` subinterface (or an IP address on the physical interface) to route the native VLAN. What is not required is that the native VLAN be VLAN 1, or that it be routed at all: an unused native VLAN such as 999 needs no router subinterface. What the exam tests is that both sides agree on which VLAN is native and that the router is configured to accept its frames untagged.
4. 'You need a separate physical interface for each VLAN.' Avoiding that is the whole point of ROAS.

Specific values and commands:

- `encapsulation dot1Q <vlan-id> [native]` is the exact syntax.
- `show vlans` shows subinterfaces and their encapsulation.
- `show interfaces trunk` shows trunk status and the native VLAN.

Decision rule: When you see a question about inter-VLAN routing with a single router link, think ROAS. The answer will involve subinterfaces and encapsulation. If a host in one VLAN cannot ping a host in another, but can ping its default gateway, the problem is likely on the router (missing route or ACL). If the host cannot ping its default gateway, check the trunk and encapsulation.

Key Takeaways

Router-on-a-Stick uses subinterfaces with `encapsulation dot1Q <vlan-id>` to route between VLANs.

The switch port must be configured as a trunk with `switchport mode trunk`.

The native VLAN on both sides must match; use `encapsulation dot1Q <vlan-id> native` on the router for the native VLAN.

The physical router interface must be `no shutdown` for subinterfaces to come up.

Verify with `show ip interface brief`, `show vlans`, and `show interfaces trunk`.

A common exam trap: forgetting the `encapsulation` command on a subinterface.

ROAS is a cost-effective solution for small-to-medium networks without a Layer 3 switch.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Router-on-a-Stick (ROAS)

Uses a router with subinterfaces on a single trunk link.

Requires a separate router device.

Slower because traffic must leave the switch, go to the router, and come back.

Cost-effective for small networks.

Configuration involves subinterfaces and encapsulation commands.

Multilayer Switch (SVI)

Uses a Layer 3 switch with SVIs (VLAN interfaces).

All-in-one device (switch + router).

Faster because routing is done in hardware (ASICs).

More expensive but scalable.

Configuration involves creating VLAN interfaces and enabling IP routing.

Watch Out for These

Mistake

The router interface must be configured as a trunk port using `switchport mode trunk`.

Correct

Routers do not have the `switchport` command. Only switches use `switchport mode trunk`. The router uses subinterfaces with `encapsulation dot1Q`.

Candidates confuse switch and router configuration because both devices can handle VLANs.

Mistake

Each subinterface must have a unique MAC address.

Correct

By default, all subinterfaces share the same MAC address as the physical interface. You can change it with the `mac-address` command, but it's not required.

Candidates think subinterfaces behave like separate physical interfaces.

Mistake

The native VLAN must always be configured on the router with the `native` keyword, or frames will be dropped.

Correct

A subinterface without the `native` keyword accepts only frames tagged with its VLAN ID. The switch sends native-VLAN frames untagged, so the subinterface for the native VLAN (VLAN 1 unless changed) needs the `native` keyword, or the router must carry that VLAN's IP address on the physical interface instead. If the native VLAN is not routed at all (for example, an unused native VLAN such as 999), no native subinterface is needed. What matters is that both sides agree on which VLAN is native.

Candidates misunderstand the purpose of the native keyword – it tells the router to accept untagged frames on that subinterface.

Mistake

Router-on-a-Stick requires a Layer 3 switch.

Correct

ROAS uses a router, not a Layer 3 switch. The switch is Layer 2 and only forwards frames based on VLAN tags. The router does the routing.

Candidates confuse ROAS with SVIs (Switch Virtual Interfaces) which are used on multilayer switches.

Frequently Asked Questions

What is the difference between router-on-a-stick and a Layer 3 switch?

Router-on-a-stick uses an external router connected to a Layer 2 switch via a trunk link. The router performs inter-VLAN routing. A Layer 3 switch (multilayer switch) has built-in routing capabilities; it uses SVIs (Switch Virtual Interfaces) to route between VLANs internally without needing an external router. ROAS is cheaper but slower because traffic must leave the switch, go to the router, and come back. Layer 3 switches are faster and more scalable but more expensive. On the CCNA exam, know both methods and their configuration differences.

Why do I need the `encapsulation dot1Q` command on a router subinterface?

The `encapsulation dot1Q` command tells the router to use 802.1Q trunking on that subinterface. It specifies which VLAN ID the subinterface belongs to. Without this command, the subinterface will not process tagged frames, and the router will not be able to route for that VLAN. The command also enables the subinterface to accept and send frames with the appropriate VLAN tag. In short, it's essential for ROAS to work.

What is the native VLAN in router-on-a-stick?

The native VLAN is the VLAN that carries untagged frames on a trunk. By default, it is VLAN 1. On a router subinterface, you must use the `native` keyword in the `encapsulation dot1Q` command to accept untagged frames for that VLAN. For example, `encapsulation dot1Q 99 native`. If the native VLAN on the switch is changed, the router must have a corresponding subinterface with the `native` keyword. If they mismatch, CDP/LLDP may fail, and data frames on the native VLAN may be dropped.

Can I use router-on-a-stick with a switch that uses ISL trunking?

On modern Cisco switches and routers, only 802.1Q is supported. ISL is legacy and not covered in CCNA 200-301. The switch command `switchport trunk encapsulation dot1q` sets the encapsulation to 802.1Q. If the switch supports ISL, you must explicitly set it to 802.1Q. The router only supports 802.1Q encapsulation on subinterfaces. So, you must use 802.1Q.

How do I troubleshoot when a host in VLAN 10 cannot ping its default gateway?

First, check the host's IP configuration: ensure the default gateway is set to the router subinterface IP for VLAN 10. Then, on the switch, verify that the port connected to the host is in VLAN 10 (`show vlan brief`). Also, check the trunk port: `show interfaces trunk` should show VLAN 10 as allowed. On the router, verify that subinterface G0/0.10 is up/up and has the correct IP. Use `show ip interface brief` and `show vlans`. If everything looks correct, check for ACLs on the router that might block traffic. Also, ensure the router has a route to the host's subnet (it should be directly connected).

What is the purpose of the `no shutdown` command on the router physical interface?

The `no shutdown` command enables the physical interface. If the physical interface is administratively down, all subinterfaces will also be down. Even if subinterfaces are configured correctly, they will not come up until the physical interface is up. Always ensure the physical interface is `no shutdown` and that the cable is connected. Use `show ip interface brief` to verify the status.

Can I use router-on-a-stick with multiple routers for redundancy?

Yes, but it requires a first-hop redundancy protocol such as HSRP or VRRP. Each router gets its own subinterfaces, each with its own unique IP address in the VLAN's subnet; the two routers then share a virtual IP address (and virtual MAC) per VLAN, and hosts use that virtual address as their default gateway. The switch connects to both routers over separate trunk links. Configuring an FHRP is beyond the scope of this chapter; on the exam, the ROAS simulation involves a single router.
